Monitoring Network Devices with OSSEC HIDS

OSSEC can be used to monitor a wide range of network devices. Switches, firewalls, and routers can be monitored for successful or failed logins, alerting if a port is down or if a vlan has changed, as well as reporting if there are any errors on the device. This can be accomplished via syslog data sent from the device (if supported) or through an SSH tunnel to the device in a agentless configuration. In this article, i will discuss the different methods which can be used to monitor network devices and cover some basics on Wazuh HIDS agentless configuration.

Method 1 Sending Syslog data from a network device to the OSSEC manager

First, we will cover sending syslog data from a network device to the OSSEC manager. If your device is listed here, then you can follow these instructions. Otherwise, see method 2 for OSSEC agentless monitoring

Devices supported via Syslog:

Cisco PIX, ASA and FWSM (all versions)

Cisco IOS routers (all versions)

Juniper Netscreen (all versions)

SonicWall firewall (all versions)

Checkpoint firewall (all versions)

Cisco IOS IDS/IPS module (all versions)

Sourcefire (Snort) IDS/IPS (all versions)

Dragon NIDS (all versions)

Checkpoint Smart Defense (all versions)

McAfee VirusScan Enterprise (v8 and v8.5)

Bluecoat proxy (all versions)

Cisco VPN concentrators (all versions)

VMWare ESXi 4.x

Case 1 Enabling syslog on a new OSSEC installation

When you perform a OSSEC Manager installation there a step to “enable remote syslog”, this is an option to set it as a syslog server.

From here, you will need to specify the configuration in the ossec.conf in order to receive the events from the agent. Under the connection tag we will need to add “syslog” to allow the syslog messages from the agents. Next we will need to specify the allowed devices, in this case, i added in every device in the 192.168.1.0/24 range. However, you can add individual IP’s if you choose.

Now any network device within that network (192.168.1.0/24) that is sending syslog data to the manager will be able to alert on authentication failures, ports going down, errors, etc.

If you receive the following error, this means that you haven’t specified an allowed-ip address. You need to add at least one IP in order for the remoted service to start.

ossec-remoted(1501): ERROR: No IP or network allowed in the access list for syslog. No reason for running it. Exiting.

Case 2 Enabling syslog on an existing manager

If you have an existing OSSEC manager but have not enabled the syslog feature, all you need to do to enable it is add the following to the ossec.conf. Of course, you will need to change the allowed-ips to your devices.

Next we need to enable agentless monitoring and register the host. There are two ways to do this, using SSH keys (recommended) or via password.

Enable the agent

$ /var/ossec/bin/ossec-control enable agentless

Register the host

$ /var/ossec/agentless/register_host.sh add root@example.net password

As mentioned above, you can create a ssh key as a secure method of connecting the network device to the ossec manager. And if you are really paranoid you can use something like this:

$ ssh-keygen -b 4096 -f .ssh/id_rsa4096 -C user@servername -o -a 1000

After you have configured the ossec.conf, enabled the agentlessd and registered the host you should now be ready to receive alerts.

Note: if you are using a debian or redhead server for your manager, and you would prefer to use passwords instead of SSH keys, you will need to install the expect libraries (apt-get install expect) in order to execute the agentlessd scripts.

Remember you can trouble shoot issues by watching the logs for errors.